CVE-2026-33761 | WWBN AVideo up to 26.0 Email Message list.json.php User::isAdmin authorization

VDB-353921 · CVE-2026-33761 · GCVE-0-2026-33761 WWBN AVIDEO UP TO 26.0 EMAIL MESSAGE LIST.JSON.PHP USER::ISADMIN AUTHORIZATION HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 5.2 $0-$5k 0.36+ Summaryinfo A vulnerability, which was classified as problematic, has been found in WWBN AVideo up to 26.0. The impacted element is the function User::isAdmin of the file list.json.php of the component Email Message Handler. The manipulation leads to authorization. This vulnerability is documented as CVE-2026-33761. The attack can be initiated remotely. There is not any exploit available. It is suggested to install a patch to address this issue. Detailsinfo A vulnerability was found in WWBN AVideo up to 26.0 and classified as problematic. This issue affects the function User::isAdmin of the file list.json.php of the component Email Message Handler. The manipulation with an unknown input leads to a authorization vulnerability. Using CWE to declare the problem leads to CWE-862. The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Impacted is confidentiality. The summary by CVE is: WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch. The advisory is shared at github.com. The identification of this vulnerability is CVE-2026-33761 since 03/23/2026. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are known, but no exploit is available. By approaching the search of inurl:list.json.php it is possible to find vulnerable targets with Google Hacking. Applying a patch is able to eliminate this problem. Productinfo Vendor WWBN Name AVideo Version 26.0 License open-source Website Product: https://github.com/WWBN/AVideo/ CPE 2.3info 🔒 CPE 2.2info 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 5.3 VulDB Meta Temp Score: 5.2 VulDB Base Score: 5.3 VulDB Temp Score: 5.1 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 5.3 CNA Vector (GitHub_M): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Authorization CWE: CWE-862 / CWE-863 / CWE-285 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Google Hack: 🔒 Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Patch Status: 🔍 0-Day Time: 🔒 Timelineinfo 03/23/2026 CVE reserved 03/27/2026 +4 days Advisory disclosed 03/27/2026 +0 days VulDB entry created 03/27/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: github.com Status: Confirmed CVE: CVE-2026-33761 (🔒) GCVE (CVE): GCVE-0-2026-33761 GCVE (VulDB): GCVE-100-353921 Entryinfo Created: 03/27/2026 15:47 Changes: 03/27/2026 15:47 (64) Complete: 🔍 Cache ID: 99:DCB:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸